@Cao Trong Thang
Thank you for following up on this! I reached out to our engineering team and will post their response below.
Update:
You granted permission to the application. You need to grant permission to the service principal of the app.
1. Assuming you're trying to assign Service Encryption role to an application ID like 00000002-0000-0ff1-ce00-000000000000
2. Get the objectID of the service principal:
az ad sp show --id "00000002-0000-0ff1-ce00-000000000000" --query "objectId" -o "tsv"
3. Use the object ID from the previous command to assign the "Managed HSM Crypto Service Encryption" role over just one key, using the role-id (instead of Name): 33413926-3206-4cdd-b39a-83574fe37a17
az keyvault role assignment create --hsm-name mhsmdemo2 --role "33413926-3206-4cdd-b39a-83574fe37a17" --scope /keys/jackrkey1 --assignee-object-id "bd8e522d-efb5-447e-a2aa-6f500446f2e1"
If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.
Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
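
The steps in the answer above, chained into one script that also confirms the assignment exists at the key scope. This is an added example, not part of the original answer. The function names are hypothetical, and the `objectId || id` query and the `list` filters are assumptions about the installed Azure CLI version.

```bash
#!/usr/bin/env bash
# Added example (not from the original answer). Function names are hypothetical.
ROLE_ID="33413926-3206-4cdd-b39a-83574fe37a17"  # role id quoted in the answer

is_guid() {
  printf '%s' "$1" | grep -Eqi '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Print the service principal object ID for an application ID, or fail.
sp_object_id() {
  local app_id="$1" oid
  is_guid "$app_id" || { echo "not a GUID: $app_id" >&2; return 2; }
  # "objectId" is the property the answer queries; Azure CLI releases built on
  # Microsoft Graph name it "id", so the query accepts either (assumption).
  oid="$(az ad sp show --id "$app_id" --query "objectId || id" -o tsv)" || return 1
  is_guid "$oid" || { echo "no service principal found for $app_id" >&2; return 1; }
  [ "$oid" != "$app_id" ] || { echo "got the application ID back, not an object ID" >&2; return 1; }
  printf '%s\n' "$oid"
}

# Assign the role over one key to the service principal, then confirm it exists.
assign_key_role() {
  local hsm="$1" key="$2" app_id="$3" oid count
  oid="$(sp_object_id "$app_id")" || return 1
  az keyvault role assignment create --hsm-name "$hsm" --role "$ROLE_ID" \
    --scope "/keys/$key" --assignee-object-id "$oid" >/dev/null || return 1
  # Count matching assignments at the key scope; zero means the grant did not land.
  count="$(az keyvault role assignment list --hsm-name "$hsm" --role "$ROLE_ID" \
    --scope "/keys/$key" --assignee-object-id "$oid" --query "length(@)" -o tsv)" || return 1
  [ "${count:-0}" -ge 1 ] || { echo "assignment not found at /keys/$key" >&2; return 1; }
  printf '%s\n' "$oid"
}

# Usage: assign_key_role mhsmdemo2 jackrkey1 00000002-0000-0ff1-ce00-000000000000
```

The script stops without assigning anything when the service principal lookup returns nothing, which is the case where the role would otherwise be granted to the wrong identity.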